An IDS (Intrusion Detection System) is a mechanism that passively listens to network traffic in order to detect abnormal or suspicious activity, thereby reducing the risk of intrusion.
There are two distinct major families of IDSs:
An N-IDS needs dedicated hardware, and forms a system which can check packets travelling on one or more network lines, in order to find out if any malicious or abnormal activity has taken place. The N-IDS puts one or more of the dedicated system's network adapters into promiscuous mode. This is a sort of "stealth" mode in which they have no IP address. They no longer have a protocol stack assigned to them, either. It is common to find multiple IDSs on different parts of the network, and particularly to place a probe outside the network in order to study attempted attacks, as well as an internal probe to analyze requests which either passed through the firewall or were made from the inside.
The H-IDS resides on a particular host, so H-IDS software exists for a broad range of operating systems, such as Windows, Solaris, Linux, HP-UX, AIX, etc.
The H-IDS acts as a daemon or standard service on a host system. Traditionally, the H-IDS analyzes particular information stored in logs (such as syslogs, messages, lastlog, and wtmp) and also captures network packets entering/leaving the host in order to check for signs of intrusion (such as denial-of-service attacks, backdoors, Trojan horses, unauthorized access attempts, malicious code being run, or buffer overrun attacks).
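The log-analysis side of an H-IDS described above, as an added example that is not part of the original article: a small Python rule that reads sshd entries from an auth log, counts failed logins per source address inside a sliding time window, and raises one alert when the threshold is reached and a second, more serious one if a successful login from the same source follows the failures. The log lines, host name, addresses and the threshold/window values are all constructed for the example; the year prefixed to the syslog timestamps is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (hypothetical host, users and addresses).
SAMPLE_LOG = """\
Jan 29 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jan 29 10:00:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jan 29 10:00:04 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 29 10:00:06 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 29 10:00:08 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 29 10:00:09 host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jan 29 10:05:00 host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jan 29 10:05:20 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Jan 29 10:06:00 host1 CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the sshd success/failure lines; other daemons' lines are ignored by this rule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

ASSUMED_YEAR = "2003"          # syslog timestamps have no year; assumed for the example
FAIL_THRESHOLD = 5             # failures from one source within WINDOW that trigger an alert
WINDOW = timedelta(minutes=2)


def parse_events(text):
    """Turn raw log text into (timestamp, source, user, result) tuples for sshd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_bruteforce(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (alert_type, source, user, timestamp) tuples.

    'brute_force' fires once per source when `threshold` failures fall inside `window`;
    'success_after_failures' fires when a flagged source then logs in successfully.
    """
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    flagged = set()
    for ts, src, user, result in parse_events(text):
        # Keep only failures still inside the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user, ts))
        elif src in flagged and recent:
            alerts.append(("success_after_failures", src, user, ts))
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields two alerts for 203.0.113.7 (the burst of failures, then the successful root login that follows it) and nothing for 198.51.100.4, whose single typo-style failure stays below the threshold. The window and threshold are the knobs a real deployment tunes to trade missed slow attacks against noise from forgetful users.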
Network traffic is generally (over the Internet, in any case) made of IP datagrams. An N-IDS can capture packets as they travel over the physical connections to which it is attached. An N-IDS contains a TCP/IP stack which reassembles IP datagrams and TCP connections. It can apply the following techniques for recognising intrusions:
This technique is fast (the N-IDS doesn't need to sift through the entire signature database for particular byte sequences) and eliminates some false alarms, and is therefore more efficient. For example, by analysing protocols, an N-IDS can distinguish between a "Back Orifice PING" (low danger) and a "Back Orifice COMPROMISE" (high danger).
It involves identifying an intrusion just by examining a packet and recognising, within a series of bytes, a sequence which corresponds to a specific signature. An example is searching for the string of characters "cgi-bin/phf", which indicates an attempt at exploiting a hole in the CGI script "phf". This method is also used as a supplement to filters on IP addresses, connection destinations, and source and/or destination ports. This recognition method can even be refined by combining it with a succession or combination of TCP flags.
This tactic is widespread on "Network Grep" N-IDSs, which are based around capturing raw packets on a monitored connection, and comparing them using a "regular expression" parser, which will attempt to match sequences in the signature base byte-for-byte with the content of the captured packet.
The primary advantage of this technique lies with how easy it is to update, and of course in the large quantity of signatures found in the N-IDS base. However, quantity doesn't necessarily mean quality. For example, the 8 bytes "CE63D1D2 16E713CF", when placed at the start of a UDP data transfer, indicate Back Orifice traffic with a default password. Even if 80% of intrusions use the default password, 20% will use personalized passwords and won't necessarily be recognised by the N-IDS. For example, if the password is changed to "evade", then the series of bytes becomes "8E42A52C 0666BC4A", which automatically protects it from being caught by the N-IDS. The technique also unavoidably leads to a large number of false alarms and false positives.
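The "Network Grep" style of matching described in the three paragraphs above, as an added example that is not part of the original article: a minimal Python signature engine that applies byte-pattern signatures to already-reassembled packets, combined with the protocol, destination-port and TCP-flag filters the text mentions. The packets are constructed for the example; the signature set is hypothetical except for the two byte strings quoted in the article ("cgi-bin/phf" and the 8-byte Back Orifice prefix), and the UDP port 31337 used for the Back Orifice rule is assumed to be its default port. The run shows both weaknesses the article raises: the default-password bytes fire, the "evade" bytes on the same channel do not (a missed detection), and a harmless document path containing "cgi-bin/phf" fires anyway (a false positive).

```python
import re

# Constructed packets, as an N-IDS would see them after IP/TCP reassembly.
# Ports, flags and payloads are invented for this example.
PACKETS = [
    {"id": 1, "proto": "tcp", "dport": 80, "flags": "PA",
     "payload": b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"},
    {"id": 2, "proto": "tcp", "dport": 80, "flags": "PA",
     "payload": b"GET /docs/history-of-cgi-bin/phf.html HTTP/1.0\r\n\r\n"},
    {"id": 3, "proto": "udp", "dport": 31337, "flags": "",
     "payload": bytes.fromhex("CE63D1D216E713CF") + b"\x00" * 10},   # default-password bytes
    {"id": 4, "proto": "udp", "dport": 31337, "flags": "",
     "payload": bytes.fromhex("8E42A52C0666BC4A") + b"\x00" * 10},   # "evade" password bytes
    {"id": 5, "proto": "tcp", "dport": 22, "flags": "SF", "payload": b""},
    {"id": 6, "proto": "tcp", "dport": 443, "flags": "S", "payload": b""},
]

# Hypothetical signature base. Each entry is a byte regex plus optional
# protocol / destination-port / TCP-flag constraints (None or missing = no constraint).
SIGNATURES = [
    {"name": "phf CGI exploit attempt", "proto": "tcp", "dport": 80,
     "content": re.compile(rb"cgi-bin/phf")},
    {"name": "Back Orifice traffic (default password)", "proto": "udp", "dport": 31337,
     # \A anchors the 8 bytes at the start of the UDP payload, as the article describes.
     "content": re.compile(rb"\A\xce\x63\xd1\xd2\x16\xe7\x13\xcf")},
    {"name": "SYN+FIN flag combination", "proto": "tcp", "flags": "SF", "content": None},
]


def matches(sig, pkt):
    """True if every constraint of `sig` holds for `pkt` and its content pattern is found."""
    if sig.get("proto") and sig["proto"] != pkt["proto"]:
        return False
    if sig.get("dport") and sig["dport"] != pkt["dport"]:
        return False
    if sig.get("flags") and set(sig["flags"]) != set(pkt["flags"]):
        return False
    if sig["content"] is not None and not sig["content"].search(pkt["payload"]):
        return False
    return True


def scan(packets=PACKETS, signatures=SIGNATURES):
    """Return {packet id: [signature names]} for every packet that fired at least one rule."""
    hits = {}
    for pkt in packets:
        names = [s["name"] for s in signatures if matches(s, pkt)]
        if names:
            hits[pkt["id"]] = names
    return hits


if __name__ == "__main__":
    for pkt_id, names in scan().items():
        print(pkt_id, names)
```

Packet 4 is the point of the article's "evade" example: the signature keys on a fixed byte string, so any change to that string silently defeats it, while packet 2 shows the price of matching plain substrings without understanding the HTTP request it sits in. Protocol-aware analysis, as in the preceding paragraph, is what closes that gap.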
There are other methods for detecting and reporting intrusions, such as Stateful Pattern Matching, and/or auditing dangerous or abnormal network traffic.
The primary methods used by N-IDSs to report and block intrusions are:
The computing press is increasingly using the term IPS (Intrusion Prevention System), either as a replacement for "traditional" IDSs or to distinguish between the two.
The IPS is a prevention/protection system for guarding against intrusions, and not just recognising and reporting them like most IDSs do. There are two main characteristics which distinguish a (network) IDS from a (network) IPS:
Article written 29 January 2003 by Cyrille Larrieu.